
many that do information security well -- by correctly identifying and prioritizing risks, appropriately protecting critical data and promptly mitigating security gaps -- and many that do not.

Organizations that have good security habits ("secure organizations") share certain traits that are lacking in organizations that don't do information security well ("insecure organizations").

In this tip, we'll look at the top 10 traits of secure organizations.

Top 10 good security habits of secure organizations

1. At secure organizations, information security is supported by senior management. Support includes making resources and budget available for information security, as well as clear statements by senior management that information security is a priority for the organization. Since senior managers establish priorities and set the tone for an organization, it is difficult to be a secure organization without their clear and consistent support. As a result of the recent spate of high-profile security breaches, most senior managers now understand the importance of information security and will support information security efforts.

2. Secure organizations regularly identify and document how sensitive data -- customer and/or proprietary -- flows in, through and out of the organization. This enables an organization to focus its time, effort and money on protecting its sensitive data. Conversely, it's difficult for an organization to protect what it doesn't know about, and organizations struggle to protect their data if they don't perform this exercise.


3. Secure organizations create and maintain a formal, documented inventory of all systems that process, transmit or store sensitive data -- including the operating system, if it's physical or virtualized, and what major applications have been installed. Without such an inventory, an organization can't fully understand what systems it must protect. Having such an inventory allows an organization to quickly determine whether a particular security vulnerability is relevant to the organization's systems.

4. Secure organizations segment sensitive systems from non-sensitive systems through jump servers, firewall rules, router ACLs or switch VLANs. This minimizes the attack surface for an organization's sensitive systems and allows access to the systems to be tightly controlled and logged.

5. Secure organizations have a strong change-control process that is rigorously enforced. Changes, including emergency changes, are fully documented then formally reviewed and approved. Unapproved changes can lead to security vulnerabilities that nobody knows about until there's a breach.

6. Secure organizations have a strong configuration management process. Sensitive systems are hardened and built only with necessary functionality via an automated build process or a managed configuration software tool such as Puppet or Chef. After the initial build, configuration software tools, which regularly check the configuration of systems, are used to ensure systems stay hardened or strong change control is used to maintain system configuration and prevent server creep.
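The "regularly check the configuration of systems" part of habit 6 can be illustrated with a small drift check. The following is an added example, not code from the article or from Puppet or Chef: it parses an OpenSSH server configuration, compares it against a hardened baseline and reports every setting that has drifted. The baseline values and the sample sshd_config text are assumptions constructed for illustration; the `BASELINE` dict, `parse_sshd_config` and `find_drift` names are mine.

```python
"""
Minimal configuration-drift checker for an OpenSSH server config.

Added example. The baseline and the sample config below are constructed
for illustration and are not taken from any real system.
"""
import re

# Hardened baseline a sensitive system is expected to carry (assumed values;
# a real baseline comes from the organization's own hardening standard).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sshd_config: root login has been re-enabled and X11Forwarding
# was dropped from the file, so two settings have drifted from the baseline.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the effective occurrence of each keyword.

    sshd honours the first occurrence of a keyword and treats keywords as
    case-insensitive; comments and blank lines are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in settings:          # first occurrence wins, as in sshd
            settings[key] = m.group(2).strip()
    return settings


def find_drift(current, baseline):
    """Return [(keyword, expected, actual), ...] for every baseline setting
    that is missing or differs. A missing keyword is reported with actual=None:
    sshd's compiled-in default then applies, which must be reviewed rather
    than silently trusted."""
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            drift.append((key, expected, actual))
    return drift


def check_config(text, baseline=BASELINE):
    """Convenience wrapper: parse a config and return its drift list."""
    return find_drift(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for key, expected, actual in check_config(SAMPLE_CONFIG):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Run on a schedule (cron, a CI job, or the configuration tool's own reporting run), a non-empty drift list is the signal that either an unapproved change was made or the baseline needs a documented update through change control.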

7. Secure organizations store as little sensitive information as possible on their systems. Sensitive information that must be kept for business or legal reasons is stored on as few systems as possible per a formal, documented data retention policy and is securely deleted when no longer needed. All stored sensitive information is regularly reviewed and justified.

9. Secure organizations consistently collect and review logs from their sensitive systems. Scripts or automated processes are used to search collected logs for pre-defined events, such as when new accounts are added. When such events are detected, an alert is sent to the appropriate employee(s), who then investigate the event.
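As an added example of the kind of script habit 9 describes (not code from the article), the block below scans syslog-style authentication log lines for a few pre-defined events, including the new-account case the text names, and turns each match into an alert record that a notification step can hand to the responsible employee. The log lines are constructed in the style of Linux auth.log entries, and the event names, the `EVENT_RULES` table and the `scan_logs` and `notify` functions are my own assumptions for illustration.

```python
"""
Search collected logs for pre-defined events and raise alerts.

Added example. The sample log lines are constructed (host "db01",
addresses from documentation ranges) and the rules are illustrative.
"""
import re

# Pre-defined events: name -> regex applied to the message part of a syslog line.
EVENT_RULES = {
    "new_account_created": re.compile(
        r"useradd\[\d+\]: new user: name=(?P<user>[^,\s]+)"),
    "admin_group_membership_added": re.compile(
        r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>sudo|wheel)'"),
    "ssh_root_login": re.compile(
        r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)"),
}

# Classic syslog line: "Mon DD HH:MM:SS host message..."
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample input: one new account, its addition to sudo, a normal
# user login (no alert), a root password login, and a cron line (no alert).
SAMPLE_LOG = """\
Mar 10 09:14:02 db01 useradd[2231]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar 10 09:14:05 db01 usermod[2240]: add 'svc_backup' to group 'sudo'
Mar 10 09:20:17 db01 sshd[2305]: Accepted publickey for alice from 10.20.30.40 port 51234 ssh2
Mar 10 09:21:00 db01 sshd[2310]: Accepted password for root from 203.0.113.5 port 40000 ssh2
Mar 10 09:25:41 db01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""


def scan_logs(lines, rules=EVENT_RULES):
    """Return one alert dict per (line, rule) match, in log order.

    Each alert carries the event name, host and timestamp plus whatever the
    rule's named groups captured (user, group, src ...).
    """
    alerts = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if not m:          # not a syslog line we understand; skip, do not crash
            continue
        msg = m.group("msg")
        for name, rx in rules.items():
            hit = rx.search(msg)
            if hit:
                alert = {"event": name, "host": m.group("host"), "time": m.group("ts")}
                alert.update(hit.groupdict())
                alerts.append(alert)
    return alerts


def format_alert(alert):
    """Render an alert as a single line suitable for e-mail or a chat hook."""
    details = ", ".join(f"{k}={v}" for k, v in alert.items()
                        if k not in ("event", "host", "time"))
    return f"[{alert['time']}] {alert['host']}: {alert['event']} ({details})"


def notify(alerts, send=print):
    """Deliver each alert via `send` (stand-in for mail/pager/ticket) and
    return the number delivered, so the caller can confirm nothing was lost."""
    for alert in alerts:
        send(format_alert(alert))
    return len(alerts)


if __name__ == "__main__":
    notify(scan_logs(SAMPLE_LOG.splitlines()))
```

In practice the rule table lives next to the data-flow documentation from habit 2, so the events watched for are the ones that matter on each sensitive system, and `send` is replaced by whatever channel reaches the on-call employee.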

10. Secure organizations regularly test their sensitive systems for vulnerabilities via vulnerability scans or penetration tests. Done correctly and regularly, such tests provide "real world" confirmation that an organization's security controls are working. If an organization is not testing its defenses, hackers will likely do the testing -- and they won't report the results.

Conclusion

The above 10 good security habits can make -- and keep -- an organization secure. With careful planning and design, the traits can become part of the organization without having to purchase or implement fancy, expensive technology.

About the author: Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is an independent security consultant. He has 18 years of experience in information security design, implementation and assessment. He has provided information security services to a wide variety of organizations including government agencies, hospitals, universities, small businesses and large enterprises.

3 comments

Is there a top-10 list of best traits? If so, I think my organization has about half of them. But this is based on business size, likelihood of an attack, number of teams and staff, amount of resources, and the reality of compliance reporting and records that must be backed up and/or retained.

Good info. Like a road map for anyone who's either starting a business, working with teams that help secure data and facilities or the actual team in the trenches making sure the enterprise stays secure. Not all 10 habits are necessary and a lot of the info is common sense. But I'm constantly surprised at how many common sense tactics slip past the most advanced IT and C-suite professionals.